Thursday, June 30, 2016

When we type a URL in the address bar, our computer makes a DNS query to the appropriate DNS servers and gets the corresponding IP address, which it then uses to access the target system. Protocols like SSL/TLS and HTTPS can ensure that the communication between the server and the client is encrypted once the server's domain name has been resolved. But what if an attacker takes advantage of the DNS communication between the client and the DNS server at the time of domain name resolution, and tampers with it to redirect the traffic to malicious servers or to cause a DoS attack? DNS Cookies is a security mechanism developed for that purpose.

DNS Cookies is a lightweight DNS transaction security mechanism that protects DNS servers and DNS clients from a variety of attacks such as DoS attacks, DNS Amplification attacks and DNS Cache Poisoning. It can work alongside other existing DNS transaction security mechanisms, and it can even work in the presence of NAT and NAT-Protocol Translation (NAT-PT).

Let’s understand what DNS Cookies actually is and how it works.

Security Concerns of DNS

There are a number
of security concerns in the existing DNS system. Some of them are
mentioned below :

DNS Server Denial of Service Attack

When a DNS client makes a DNS request to DNS servers, it places a considerable computational burden on the DNS servers. A recursive server may issue one or more requests and process the responses, which takes a lot of computational resources. The situation may get even worse when DNSSEC is used, as DNSSEC performs many cryptographic computations to verify the authenticity of the DNS transaction.

So, if an attacker forges the source IP address and sends many DNS requests to the DNS servers, it would be very hard to identify the requests as forged ones. Moreover, it is impossible to restrict the IP addresses from which DNS requests are honored and discard requests from all others.

As a result, an
attacker can take advantage of that and send a large number of DNS
requests to the DNS servers, so that the DNS servers get exhausted
resulting in a DoS attack.

DNS Cache Poisoning

The first time we type a URL in the address bar, our computer makes a DNS query to the appropriate DNS Server and, once it gets a response, stores the IP address in its DNS Cache, with a timestamp up to which the entry remains valid.

Within that time, if we type the same URL, say google.com, again, our computer will look in its DNS Cache for the entry.

Suppose our computer has made a DNS query and is waiting for a response from the DNS Servers. But, instead of an authentic response, it gets a response containing the IP address of the attacker's website. Its DNS Cache will then be poisoned and from then on, whenever the computer tries to resolve the IP address of the same URL, it will end up at the attacker's website.

In a similar way, the DNS Cache of any DNS Server may also get poisoned, because an ISP's DNS Server gets responses from other DNS Servers and stores them in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.

DNS Amplification Attack

If an attacker sends lots of DNS queries to DNS servers, but forges the IP address of a victim machine as the source IP address of all the packets, lots of DNS responses will be generated by the servers and all of them will reach the victim machine. Normally, without any security mechanism, DNS servers cannot find out whether the source IP of a DNS request is a forged one. As a result, and because DNS responses are much larger in size, the responses will end up flooding the victim machine and consuming its bandwidth, which causes a DoS attack on the victim machine.

Existing DNS Security

There are a number of existing security mechanisms which can be used
to secure DNS transactions. But, each of them has its own
disadvantages.

For example, DNSSEC (How does DNSSEC work ?) is a security extension which can be used to verify the authenticity of a DNS transaction. DNSSEC can ensure that the response coming from a DNS server is an authentic one, and it no doubt protects us from attacks like DNS Hijacking and DNS Cache Poisoning.

But, as mentioned earlier, DNSSEC performs many cryptographic computations to ensure security, which increases the computational burden on the DNS servers. As a result, if an attacker forges IP addresses and sends many DNS requests to the DNS servers, it will aggravate the situation and can easily cause a DoS attack.

Another security mechanism is Transaction Signature or TSIG (How does TSIG work ?). It uses cryptographic keys to establish a trust relationship between a DNS client and a DNS server and secure the DNS transaction. TSIG provides good security, but it is non-trivial to deploy. It imposes a considerable burden on the existing DNS system, such as pre-agreement and distribution of cryptographic keys, keeping track of server side key state, and synchronization between a DNS client and a DNS server.

DNS Cookies is a lightweight security mechanism, which can be
implemented easily with the existing DNS system and can work together
with other security mechanisms. It does not have much overhead of
pre-configuration etc.

How does DNS Cookies work ?

In DNS Cookies mechanism, each DNS server and each DNS client
maintain a cookie. Each of them maintains a different cookie which
can be used at the time of DNS transaction to make sure that the DNS
request has indeed come from an authentic DNS client and its source
IP address is not forged.

A client cookie is 8 bytes long and it is a pseudorandom function of client IP, server IP and a secret quantity known only to the client. This pseudorandom function is secret to the client and can be changed periodically. Each DNS client will have a different cookie, which can be used with the DNS request to verify its authenticity. As a DNS cookie is only returned to the IP address from which the request was generated, it cannot be used to track internet users.

Similarly, each DNS server with a different IP will have a different server cookie. This server cookie is a pseudorandom function of client cookie, client IP and a secret quantity known only to the server. This pseudorandom function is secret to the server and can be changed periodically. A DNS server must send different cookies for different clients.

DNS Cookies mechanism works in the following way :

A DNS client sends a DNS request and includes its client cookie
along with the request. If it knows the server cookie, it sends the
server cookie along with its own cookie.

The server receives the DNS request from the client with the client
cookie. If the DNS request contains only the client cookie and not
any server cookie, the server calculates a server cookie with its
secret pseudorandom function, using the client IP, the received client
cookie and the secret quantity known to the server. The server then
processes the request and sends its cookie to the client, so that
the client can refer to it in future communications.

On the other hand, if the server receives a server cookie along with
the client cookie, it will verify the cookie and then process the
request. It will then generate a response and send that along with
the new server cookie if it generates one.

Different DNS clients behind a NAT box can use their own local IP
addresses to have different client cookies. And, based upon these
different client cookies, different server cookies can be generated
which can be used in the DNS transactions without much confusion.
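The exchange described above can be sketched as follows. This is an added example, not code from the original post or from any DNS implementation; the use of truncated HMAC-SHA256 as the pseudorandom function, the 8-byte server cookie length, the function names and the documentation-range IP addresses are all assumptions of the sketch.

```python
import hashlib
import hmac
import ipaddress
import os

CLIENT_COOKIE_LEN = 8  # per the text above: a client cookie is 8 bytes long
SERVER_COOKIE_LEN = 8  # assumption of this sketch


def prf(secret: bytes, *parts: bytes, length: int) -> bytes:
    """Keyed pseudorandom function. Truncated HMAC-SHA256 is this example's
    choice; the text only requires a secret pseudorandom function."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        # Length-prefix each input so ("a", "bc") and ("ab", "c") differ.
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()[:length]


def ip_bytes(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed  # handles IPv4 and IPv6


def client_cookie(client_secret: bytes, client_ip: str, server_ip: str) -> bytes:
    # Function of client IP, server IP and a secret known only to the client.
    return prf(client_secret, ip_bytes(client_ip), ip_bytes(server_ip),
               length=CLIENT_COOKIE_LEN)


def server_cookie(server_secret: bytes, client_ip: str, c_cookie: bytes) -> bytes:
    # Function of client cookie, client IP and a secret known only to the server.
    return prf(server_secret, ip_bytes(client_ip), c_cookie,
               length=SERVER_COOKIE_LEN)


def handle_request(server_secret, source_ip, c_cookie, s_cookie=None):
    """Server side. Returns (status, cookie_to_send_back), where status is
    'new' (no server cookie presented), 'valid' or 'bad'."""
    expected = server_cookie(server_secret, source_ip, c_cookie)
    if s_cookie is None:
        return "new", expected
    if hmac.compare_digest(s_cookie, expected):
        return "valid", expected
    return "bad", expected


def demo():
    """Constructed scenario; all addresses are documentation ranges."""
    server_secret = os.urandom(32)
    server_ip, client_ip = "198.51.100.53", "192.0.2.10"

    # First contact: client cookie only, the server hands out a server cookie.
    cc = client_cookie(os.urandom(32), client_ip, server_ip)
    first, sc = handle_request(server_secret, client_ip, cc)
    # Later request: both cookies present, the server verifies them.
    second, _ = handle_request(server_secret, client_ip, cc, sc)

    # Another host holds a server cookie issued to its own address. Replaying
    # it in a packet whose source address is forged as client_ip fails,
    # because the server cookie is bound to the source address.
    other_cc = client_cookie(os.urandom(32), "203.0.113.7", server_ip)
    _, other_sc = handle_request(server_secret, "203.0.113.7", other_cc)
    forged, _ = handle_request(server_secret, client_ip, other_cc, other_sc)

    # Two clients behind one NAT address: different local IPs give different
    # client cookies, so the server issues different server cookies.
    nat_ip = "203.0.113.50"
    cc_a = client_cookie(os.urandom(32), "10.0.0.2", server_ip)
    cc_b = client_cookie(os.urandom(32), "10.0.0.3", server_ip)
    _, sc_a = handle_request(server_secret, nat_ip, cc_a)
    _, sc_b = handle_request(server_secret, nat_ip, cc_b)

    return {"first": first, "second": second, "forged": forged,
            "nat_distinct": sc_a != sc_b}


if __name__ == "__main__":
    print(demo())
```

How a server treats a request whose status is "new" or "bad" is a policy decision outside this sketch.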

So, be aware of different security mechanisms so that you can protect
your systems in a better way and stay safe, stay secured.

Sunday, June 19, 2016

A zero-day threat is a threat that exploits an unknown security vulnerability, even before the developers of the software are aware of it. It uses the unknown vulnerability in the software and creates complicated problems of data theft and identity theft. The threat is known as “zero-day” because once the flaw is discovered, the developers have zero days to plan and advise mitigation against the threat.

Attack Vectors

Zero-day
vulnerabilities can be exploited by the attackers through several
attack vectors :

When a user
visits a malicious website, the malicious code in the website can
exploit some security vulnerability in the web browser to infect the
system.

Cybercriminals can use social engineering to infect a system. For example, they may send a phishing email with an attachment. When the user clicks on the attachment, malicious code may start executing and download the malware onto the system, thereby infecting it.

How to prevent Zero Day Threat ?

Use only essential applications. A zero-day threat mostly takes advantage of security vulnerabilities of applications to infect systems. And, the fewer the applications, the fewer the vulnerabilities.

As mentioned
earlier, a zero-day threat takes advantage of security
vulnerabilities of Operating Systems and other commonly used
software to infect a system. So, patch the Operating Systems and
other software with most recent security patches.

Thursday, June 16, 2016

Device Fingerprinting is a technology with which information can be collected from a remote device so that the device can be identified uniquely. This technology is used to determine whether a computer being communicated with is a trusted one. It does so by measuring various parameters like browsing data, Operating Systems, connection attributes etc and then building a risk profile of the device, from which the trust factor of the device can be determined.

Why do we need Device Fingerprinting ?

Using a fake
account, username, email address or IP address for each fraud attack
is easy for a cyber criminal. But, using different devices each time
is not so simple. And, that is the main motivation behind Device
Fingerprinting.

Using Device
Fingerprinting, a service provider can uniquely identify and track
the device that accesses the service. It can determine the trust
factor of the device, based upon which it can determine fraudulent
activities and blacklist a fraudulent device once detected.

Device Fingerprinting is a powerful tool which can recognise a returning criminal, even if he changes his name, IP address or browser cookies.

How does Device Fingerprinting detect fraudulent activities ?

Device
Fingerprinting can detect a fraudulent device in a number of ways :

It can detect an anomaly in a device based on factors like whether the real IP address and location of the device are hidden, whether the device is a part of a botnet (What is a botnet ?) etc.

It can
fingerprint a device based upon whether the connected device is
trying to exfiltrate a large amount of data over a short period of
time and take decision based on that.

It can
determine whether any fraudulent activities were done previously
from the same device, ISP or location and determine trust factor of
the device based on that.

It can determine whether accounts or subscriptions from the connected device are being accessed or shared illegally.

It can even
blacklist a device based on whether the device was previously found
to be involved in any fraudulent activities.

Characteristics of Device Fingerprinting

A Device
Fingerprinting solution should have the following characteristics :

Uniqueness
– The device should be well differentiated from other devices
based on the factors on which fingerprinting is done. In other
words, the fingerprint should contain enough entropy.

Persistence – The fingerprint should remain usable for a considerably long amount of time. For example, fingerprints based on Operating Systems data are more persistent than those based on browser data.

Resistance – The fingerprint should be resistant, i.e. fraudsters should not be able to tamper with it easily. For example, fingerprints based on cookies are not very resistant, as cookies can easily be deleted or copied.

Integration
– Device Fingerprinting technology used should be easily
integrated with the business requirements. For example, it is good
if a set of web-APIs enable integration of Device Fingerprinting
into the existing business.

Zero
Impact – Device Fingerprinting solution should have no
significant impact on customer experience and IT infrastructure.
Customers should not need to install some additional software or use
some hardware token.

No Delay – There should be no significant delay in the Device Fingerprinting solution. It should be able to calculate device risk in real time.

First-time Fraud Detection – Device Fingerprinting solution should be able to effectively protect against first-time fraud attempts. It can be done by looking at a number of factors like whether the device is hiding its IP, location or Geo, whether the device is compromised by malware or part of a botnet etc.

Various methods of Device Fingerprinting

There are two types
of Device Fingerprinting :

Active Fingerprinting

Passive Fingerprinting

Active Fingerprinting

Active
Fingerprinting is invasive and it requires the device to be
fingerprinted to install additional software. It can access unique
parameters of the device like drive serial number, device MAC address
etc, based on which it can calculate the risk profile of the device.
This method is more accurate, but as it requires end users to install
additional software and give permissions, it may not be feasible
always.

Passive Fingerprinting

Passive Fingerprinting is done without any obvious query to the client machine and hence, it is less invasive. It mainly uses information on TCP connection, Operating Systems, browser settings etc to profile the device. These attributes are mostly anonymous and have relatively less impact on the customer's privacy. As a result, this method is quite feasible for ecommerce, online media or retail financial businesses.

Browser
Fingerprinting – It
uses information on HTML, Javascript, Flash etc available in the
browser to profile the device. It may also use a combination of
information like screen resolution, browser type, clock time,
timezone, language etc to create a fingerprint.

HTTP
Fingerprinting – It
uses information available while communicating to the device using
an HTTP connection. The information may include HTTP compression
type, proxy support, language etc.

TCP
Fingerprinting – It
uses information available on a TCP connection with the device, like
connection speed etc.
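The uniqueness and persistence characteristics listed earlier can be measured on a combined passive fingerprint. The following is an added example, not code from the original post or from any fingerprinting product; the attribute names, the eight-device sample population and the choice of a truncated SHA-256 over the attribute values are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ATTRS = ("user_agent", "screen", "timezone", "language")
STABLE_ATTRS = ("screen", "timezone", "language")  # drops the volatile browser string

# Constructed sample population (user_agent, screen, timezone, language).
_ROWS = [
    ("Firefox/Windows", "1920x1080", "UTC+0", "en-US"),
    ("Firefox/Windows", "1920x1080", "UTC+0", "en-US"),
    ("Chrome/Windows", "1920x1080", "UTC+1", "de-DE"),
    ("Chrome/Windows", "1366x768", "UTC+1", "de-DE"),
    ("Chrome/Mac", "2560x1440", "UTC-5", "en-US"),
    ("Safari/Mac", "2560x1440", "UTC-5", "en-US"),
    ("Chrome/Windows", "1920x1080", "UTC+5:30", "en-IN"),
    ("Firefox/Linux", "1366x768", "UTC+0", "en-US"),
]
DEVICES = [dict(zip(ATTRS, row)) for row in _ROWS]


def fingerprint(device, attrs=ATTRS):
    """Hash the chosen attributes in a fixed order into a short identifier."""
    canonical = "\x1f".join(f"{a}={device[a]}" for a in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def attribute_entropy(devices, attrs=ATTRS):
    """Entropy contributed by each attribute on its own."""
    return {a: entropy_bits([d[a] for d in devices]) for a in attrs}


def fingerprint_entropy(devices, attrs=ATTRS):
    """Entropy of the combined fingerprint over the population."""
    return entropy_bits([fingerprint(d, attrs) for d in devices])


def unique_fraction(devices, attrs=ATTRS):
    """Share of devices whose fingerprint no other device has (uniqueness)."""
    fps = [fingerprint(d, attrs) for d in devices]
    counts = Counter(fps)
    return sum(1 for f in fps if counts[f] == 1) / len(fps)


def survives_change(before, after, attrs):
    """True if the fingerprint is unchanged after the device changes (persistence)."""
    return fingerprint(before, attrs) == fingerprint(after, attrs)


if __name__ == "__main__":
    print(attribute_entropy(DEVICES))
    print(fingerprint_entropy(DEVICES), unique_fraction(DEVICES))
    updated = dict(DEVICES[2], user_agent="Chrome/Windows (updated)")
    print(survives_change(DEVICES[2], updated, ATTRS),
          survives_change(DEVICES[2], updated, STABLE_ATTRS))
```

On this sample the combined fingerprint carries more entropy than any single attribute, and leaving out the browser string makes the fingerprint survive a browser update at the cost of some of that entropy.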

Where is Device Fingerprinting used ?

Device
Fingerprinting is used for fraud detection, protection against
account hijacking, anti-bot and anti-scraping services, enterprise
security management, protection against DDoS attacks etc. Bank or
financial transactional websites can use Device Fingerprinting to
isolate fraudulent patterns and stop them before causing any damage.

Device Fingerprinting can also be used for real-time targeted marketing, campaign measurement, profiling customers, limiting devices for accessing specific services etc, though the use of Device Fingerprinting for certain purposes raises the question of privacy.

Device Fingerprinting and Privacy

Use
of Device Fingerprinting in certain cases does raise a concern for
privacy advocates. Though this technology is mainly used for online
fraud detection, it can pose a potential privacy concern for users if
used otherwise.

For example, a device profile obtained through Device Fingerprinting can be used to :

identify a user

track
and analyse a user's browsing activity

collect enough information about the user to draw inferences about
him or her

And, this can lead to a number of privacy concerns.

For example :

There
can be a number of reasons a user would want to remain anonymous
online. The reasons may include concerns about surveillance,
personal safety, concerns about discrimination etc. Using Device
Fingerprinting, an application or service provider may be able to
identify a user, by looking at the fingerprint of the device. And,
this may lead to serious privacy concern, as the information
collected can be used by an adversary for causing harm or damages.

Device
Fingerprinting can be used to track and analyze a user's browsing
activities for the purpose of online marketing and advertising. This
is no doubt a privacy concern if it is done without the knowledge of
the user.

Using Device Fingerprinting, a service provider can draw inferences
about a user. For example, information on device CPU and Operating
Systems may reveal information about the user's purchasing
capability and proclivity. And, this information can be exploited to
discriminate a person from others, which is no doubt an invasion of
privacy.

Ideally, if a service provider wants to implement Device Fingerprinting for a purpose other than online fraud detection, it should do the following :

The service provider should get explicit consent from the user, if the technology is used for the purpose of any advertising, marketing research or website analytics.

The service provider should give detailed information about the
fingerprinting, like how the data will be collected, used or the
purpose of the data collection.

So, Device Fingerprinting is a technology which is a boon to us for the detection and prevention of online fraud, and rather a bane to us if used otherwise. This article just gave an introduction to Device Fingerprinting. Hope it helped.

Sunday, June 5, 2016

Authentication using passwords and PINs is no longer considered to be safe. We have seen a couple of recent incidents of data breach where user data was compromised and exploited for even further attacks. Two factor authentication is one option for dealing with it. But that also cannot be considered sufficient, as a two factor authentication system can be compromised too. We need an authentication mechanism in which the authentication data can be provided by the individual only and cannot be tampered with. And, that is the main motivation behind using a biometric system.

What is Biometrics ?

The word “biometrics”
is derived from the Greek word “bio” which means life and
“metric” which means to measure. Biometrics refers to the
automatic identification of a person based on his or her unique
physiological or behavioral characteristics, such as fingerprints,
voice pattern, iris, keystroke rhythm etc. These characteristics are
unique to every individual and cannot be tampered easily. And, that
is why biometric systems are today widely used for authentication
purposes.

History of Biometrics

The history of biometrics dates back to 1870, with the measurement system of Alphonse Bertillon. In this measurement system, human body measurements such as skull diameter, arm and foot length etc were used to identify a person uniquely. Until the 1920s, this system was used for identifying prisoners.

Later, in the 1960s, identification through fingerprints and facial measurements was proposed. In the 1960s, the techniques of digital signal processing were developed and that enabled convenient processing and storing of the biometric data. And, that led to identification of individuals in an automated way.

Voice and fingerprint recognition systems were developed later, and since the 1960s their applications have included high security access control, personal locks and authentication of financial transactions.

Later, biometric system
based on face recognition and iris recognition was developed. And,
today biometric systems based on fingerprints and face recognition,
iris pattern recognition or keystroke rhythm and voice recognition
are widely used.

Why Biometrics

There are a number of
reasons for which biometrics are supposed to be reliable enough to be
used for authentication purposes :

Biometric data of an individual can be produced by the individual only and the individual has to be physically present at the time of authentication. It is not easy to tamper with biometric data. And, this makes a biometric system much more reliable, as it can prevent illegitimate access based on stolen credentials.

As biometric data
is unique for every individual and can be produced by the individual
only, it can provide negative identification. If an individual is
enrolled in a biometric system, he cannot later deny his enrollment.

In biometrics, one
does not need to remember a huge number of credentials, as it
happens in case of passwords or PINs. A password or PIN can be
easily forgotten or broken if not strong enough. But, biometric data
of an individual is strong enough not to guess or break.

In biometrics, one
does not need to carry any physical tokens for authentication, as it
is done for smart cards, magnetic stripe cards, photo ID cards,
physical keys etc. So, biometric authentication is much more
convenient for an individual.

Characteristics of Biometric Data

Biometric data should have the following characteristics so that it can reliably be used for authentication purposes :

Biometric data
should be constant over a long period of time. There should be no
significant differences in the biometric data based on factors like
age, disease etc.

Biometric data of
an individual should be unique and significantly different from
another individual.

The captured
biometric data should be conveniently stored in a format, which is
easy to handle.

Biometric data of
an individual should be impractical to mask or manipulate.

Biometric data of
an individual should be digitally comparable with that of another
individual.

Biometric data
must be irreproducible by other means, unless the individual himself
or herself produces the data.

Biometric data has
to be accurate. It should not have any false acceptance or false
rejection rate.

How does Biometric System work ?

A biometric system
typically works in the following way :

An individual
produces his or her biometric data. Normally, the biometric data is
captured by a sensing device like a fingerprints scanner or a video
camera.

Distinguishing
characteristics are extracted from the raw biometric sample and
converted into a biometric template.

The mathematical
representation of the biometric template is registered and stored in
the database.

Later, when an
individual tries to authenticate producing his or her biometrics,
the stored biometric data is compared with the given data for
verification.

Types of Biometrics

Biometrics can be of
two types :

Physiological Biometrics

Behavioral Biometrics

Physiological
biometrics is based on some physiological characteristics of an
individual, such as fingerprints, iris pattern, face recognition etc.

And, behavioral
biometrics is based on behavioral characteristics of an individual,
such as keystroke rhythm, signature, voice recognition etc.

The main difference between these two types of biometrics is that physiological biometrics is not influenced by the psycho-emotional state of an individual. It remains unchanged over time and emotional state. But, behavioral biometrics can be influenced by factors like emotional state or disease of an individual. So, physiological biometrics is supposed to be more reliable than behavioral biometrics.

Let's look at a couple
of biometric systems and their advantages and disadvantages.

Face Recognition

Each individual has distinctive features in his facial image based on eyebrows, width of eyes, breadth of nose etc. The facial recognition system first captures the facial image of an individual and then differentiates the face from the background. It then extracts features from the facial image.

There are around 80
features that a facial recognition system can make use of and these
include jaw line length, eye socket depth, distance between the eyes,
cheekbone shape, width of the nose etc.

The distinctive
features are then suitably represented in a mathematical format and
stored in the database. Later, this data is retrieved and compared
with the collected data for authentication.

Advantages

It is not
intrusive.

It is hands-free
and convenient.

It can be done
from a distance. This can be useful if used responsibly for
surveillance purpose for identifying criminals from a crowd.

Disadvantages

A facial
recognition system should be resistant to factors like facial
expressions etc.

If not used
responsibly with the permission of the individual, face recognition
can be a major privacy violation.

Iris Recognition

The iris is the colored ring around the pupil of a human being. It has complex random patterns, which are unique and can be seen even from a certain distance. An iris recognition system analyzes the complex random patterns of an iris and detects a person's identity based upon that.

Advantages

Iris recognition
technology is not very intrusive as it does not need direct contact
between the subject and the camera.

Iris recognition
can be done using simple video technology.

Error rates of iris recognition systems are very low and they can be reliably used for authentication purposes.

Disadvantages

Scanning iris may
be inconvenient, as it can be covered by objects like eyelid or
eyelashes.

Iris recognition
biometrics may prove difficult for people with blindness or
cataract.

The camera
involved for taking iris image should have correct amount of
illumination, otherwise it may prove difficult to capture the
accurate image of the iris.

Fingerprints Recognition

In this method, digital
representation of a fingerprint is scanned using a fingerprint scanner
and then features are extracted based on ridges and valleys of the
finger. Later, these features are used to identify and authenticate
an individual. Among all biometric techniques, fingerprint
recognition is the most popular method and is widely used.

Advantages

Fingerprints of an individual develop at the age of about seven months and remain unchanged for the rest of the life. These characteristics do not change easily and so, can be used reliably for authentication.

Disadvantages

For some people it
is intrusive, as it is still related to criminal identification.

Captured biometric
data is large and needs compression to store efficiently.

Keystroke Rhythm Recognition

Each individual has his
own typing rhythm and based on that biometric authentication can be
done. The main features used in this technology are :

Latencies between
two successive keystrokes.

Finger placement.

Pressure applied
on the keys.

Overall typing
speed.

Advantages

It is simple to
implement and does not require any specialized hardware.

Disadvantages

Keystroke rhythm can be influenced by various circumstances like psycho-emotional state, hand injury, fatigue of the individual etc. So, it has limited accuracy.
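The enrollment and verification steps described under "How does Biometric System work ?" can be illustrated with the first keystroke feature listed above, the latencies between successive keystrokes. This is an added example, not code from the original post or from any biometric product; the scaled Manhattan distance used for matching, the thresholds, the function names and all timing samples are constructed for illustration.

```python
import statistics


def latencies(timestamps_ms):
    """Feature extraction: gaps between successive key presses, in ms."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def enroll(samples):
    """Build a template (per-position mean and spread) from several typings
    of the same phrase by the same person."""
    vectors = [latencies(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must have the same number of keystrokes")
    columns = list(zip(*vectors))
    mean = [statistics.fmean(col) for col in columns]
    # Mean absolute deviation per position, floored at 1 ms so that a very
    # consistent typist does not produce a division by (almost) zero.
    spread = [max(statistics.fmean([abs(x - m) for x in col]), 1.0)
              for col, m in zip(columns, mean)]
    return {"mean": mean, "spread": spread}


def score(template, timestamps_ms):
    """Scaled Manhattan distance to the template; lower means more similar."""
    lat = latencies(timestamps_ms)
    if len(lat) != len(template["mean"]):
        return float("inf")  # wrong phrase length can never match
    return statistics.fmean([abs(x - m) / s for x, m, s in
                             zip(lat, template["mean"], template["spread"])])


def verify(template, timestamps_ms, threshold):
    return score(template, timestamps_ms) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """Return (false acceptance rate, false rejection rate) at a threshold."""
    accepted = sum(verify(template, a, threshold) for a in impostor)
    rejected = sum(not verify(template, a, threshold) for a in genuine)
    return accepted / len(impostor), rejected / len(genuine)


# Constructed key-press timestamps (ms) for a six-key phrase.
ENROLLMENT = [
    [0, 120, 250, 340, 500, 610],
    [0, 110, 245, 340, 490, 605],
    [0, 130, 255, 340, 510, 615],
]
GENUINE = [
    [0, 118, 251, 343, 498, 610],
    [0, 125, 253, 341, 507, 614],
    [0, 150, 310, 430, 630, 770],  # same person, typing slowly when tired
]
IMPOSTOR = [
    [0, 200, 290, 440, 540, 720],
    [0, 140, 290, 400, 590, 720],
]

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for threshold in (3.0, 8.0):
        print(threshold, error_rates(template, GENUINE, IMPOSTOR, threshold))
```

With the strict threshold the tired owner is rejected, and with the loose one an impostor is accepted, which is the limited accuracy noted above.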

Challenges of Biometric Authentication

There are a couple of
challenges of using biometric authentication :

If stored
biometric data is compromised, it would be a major privacy concern.
Biometric data of an individual, unlike other credentials like
passwords or PINs, cannot be changed.

One has to make
sure the collected biometric data is not influenced by noise or
errors. Biometric systems must endure failures within a rational
bound and give reliable results.

Are Biometric Systems vulnerable to hacking ?

Biometric system is
still in its infancy and cannot be considered to be 100% secure. A
biometric system can be compromised in a number of ways :

Attackers can use
a backdoor to bypass authentication and gain unauthorized access of
the system.

Attackers can
provide facsimile of the actual biometrics to gain access. In the
worst case, the attacker can use body parts not attached to the
owner to gain access. A biometric system should be able to tell the
difference between a live body part and an amputated one.

At the time of
enrollment, biometric data of an individual is collected and stored
in a database, so that it can later be compared with the collected
biometric data for authentication. An attacker can perpetrate a
Man-In-The-Middle Attack while storing the biometric data and
manipulate the data to take advantage of that later.

So, biometric systems cannot be considered to be fully secure. However, two factor authentication comprising biometric data of an individual and something you know, like a password or PIN, will increase the security to a great extent and provide effective countermeasures.

Biometrics and Privacy

Privacy is a big concern for biometrics. We have seen a couple of incidents where the use of biometrics raised questions from privacy advocates. For example, using face recognition technology, one can monitor public places and use the scanned images to identify known criminals. But, if the scanning is done without the knowledge of the public and utilizing a technology whose impacts are not fully understood, then it is a big privacy concern.

Privacy concern also
exists about how the biometric data stored in a database can be used.
Using or sharing the biometric data without the individual's
knowledge is also a big privacy concern.

Also, biometric systems
should be safeguarded from fraudulent activities and data breaches.
Biometrics of an individual, unlike other credentials, cannot be
changed.

Applications of Biometrics

Biometrics are used in
a number of places :

It is used in
military programs.

To survey a busy
place to identify known criminals.

To access accounts
in banks.

For ATM
transactions, using special purpose kiosks.

To secure online
banking.

For PC or network
access.

In air travel, to
reduce the inspection processing time for authorized travellers.

To control
travelers crossing the national or state border.

Some countries
include biometric information in passports, in terms of barcode or
smart chips.

So, no authentication
system is fully secure. But, biometrics if used responsibly with
caution, can enhance security to a large extent. This article just
gave some basic information on biometrics. Hope you liked it.